FP replaces SRX (filter between users and DC)
users' GW on Nex3K

nx3K >> firepower >> ACI

If "Firepower under ACI", then service graph and full routing changes, then L3Out to NX3K
to provide full visibility >> all GWs must be on ACI

option 1: FP out; IT, HR and users come from FP >> all in EPGs, with contracts between them.
option 2: FP in, with 2 legs (2 zones) for DC and 1 leg for internet; DMZ and all connected to FP as L3Out on ACI, service graph .. NX with users as L3Out.
		flexibility

DC FW (E-W traffic .. app to app), Perimeter (edge) FW (N-S traffic .. app to internet or app to users)

DC FW (ACI, gives up to L4 FW), Perimeter FW (FP)
to reach full FW features, the DC FW is required to be connected on ACI, and contracts (redirect contracts) and service graph to be configured




how to segregate traffic in ACI:
	Multiple or single BD
	Multiple or single subnet
	Multiple or single EPG


All apps with the same firewalling policies, same app >> to be in the same EPG
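Added illustration of the "option 1" design and the EPG segregation point above (not from the meeting or any vendor tool): a flow list is turned into an APIC-style tenant payload with one filter and contract per allowed flow, so any EPG pair without a contract stays isolated. Tenant, BD, EPG names and ports are assumed; the PBR redirect to the FP service graph is not modelled.

```python
import json

# Constructed policy: (consumer EPG, provider EPG, protocol, port). Names are assumed.
POLICY = [
    ("users", "IT", "tcp", 443),
    ("IT", "HR", "tcp", 22),
]

def filter_obj(proto, port):
    """vzFilter with a single vzEntry matching one destination port."""
    name = f"{proto}-{port}"
    return {"vzFilter": {"attributes": {"name": name}, "children": [
        {"vzEntry": {"attributes": {"name": name, "etherT": "ip", "prot": proto,
                                    "dFromPort": str(port), "dToPort": str(port)}}}]}}

def contract_obj(name, filter_name):
    """vzBrCP (contract) whose one subject references the filter by name."""
    return {"vzBrCP": {"attributes": {"name": name, "scope": "tenant"}, "children": [
        {"vzSubj": {"attributes": {"name": "subj"}, "children": [
            {"vzRsSubjFiltAtt": {"attributes": {"tnVzFilterName": filter_name}}}]}}]}}

def epg_obj(name, provides, consumes):
    """fvAEPg bound to an (assumed) BD, providing/consuming the given contracts."""
    children = [{"fvRsBd": {"attributes": {"tnFvBDName": "BD-apps"}}}]
    children += [{"fvRsProv": {"attributes": {"tnVzBrCPName": c}}} for c in sorted(provides)]
    children += [{"fvRsCons": {"attributes": {"tnVzBrCPName": c}}} for c in sorted(consumes)]
    return {"fvAEPg": {"attributes": {"name": name}, "children": children}}

def build_tenant(policy, tenant="DC-MIGRATION"):
    """Return an fvTenant dict: filters, contracts, and one app profile with all EPGs.
    EPG pairs not listed in policy get no contract, so the fabric keeps them isolated."""
    filters, contracts, prov, cons = {}, {}, {}, {}
    for c_epg, p_epg, proto, port in policy:
        fname = f"{proto}-{port}"
        filters[fname] = filter_obj(proto, port)
        cname = f"{c_epg}-to-{p_epg}"
        contracts[cname] = contract_obj(cname, fname)
        prov.setdefault(p_epg, set()).add(cname)
        cons.setdefault(c_epg, set()).add(cname)
    epgs = sorted(set(prov) | set(cons))
    ap = {"fvAp": {"attributes": {"name": "apps"}, "children":
          [epg_obj(e, prov.get(e, set()), cons.get(e, set())) for e in epgs]}}
    return {"fvTenant": {"attributes": {"name": tenant},
                         "children": list(filters.values()) + list(contracts.values()) + [ap]}}

def allowed(policy, src, dst):
    """True only if some contract in policy lets src (consumer) reach dst (provider)."""
    return any(c == src and p == dst for c, p, _, _ in policy)

if __name__ == "__main__":
    print(json.dumps(build_tenant(POLICY), indent=1))
```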


Not all VMs in DC
FP (old SRX) >> has two legs: 1- production, 2- DEV and TEST

All VMs divided >> TEST to Production must go through FP, then >> service graph on ACI <<

12 DMZ config on FW (FP or SRX)

subnets on NX >> users, MGT, IT >> all at core level and no firewalling



Migration:

ACI config
L2 extension with old core 6500 to migrate VMs to ACI
Test VMs to be injected during migration before prod VMs
downtime during routing and GW activation on ACI




for SRX to FP migration:
Link from ACI to SRX or link from FP to SRX >> to route all remaining zones on SRX


VMware Standard licence, not Enterprise >> will work on virtual switch, not VDS


App team:

whether app is clustered or not >> one-by-one migration >> eliminate downtime
to select final EPGs

11 hosts in DC and 3 in DR
create virtual switch to create port group ,, requires new vNICs   !! essa
FI to old and new environment
remove VM from PG, put in new PG >> then VM migrated to ACI



=====


NX >> all buildings and all users





LL design to be shared
Migration plan to be shared

